Privacy Policy
Last Updated: April 17, 2026 · Effective: April 17, 2026
1. Who We Are
Shieldly ("we", "us", "our") is a privacy-focused browser extension distributed on the Chrome Web Store. This Privacy Policy explains how the Shieldly extension handles data on your device. It applies to the Shieldly browser extension and the website shieldly.cc.
2. Data Collection
Shieldly does not collect any personal data, browsing history, or usage analytics. We have no servers for collecting user data, no cloud infrastructure for user data, and no telemetry.
We do not:
- Collect your browsing history, URLs, or page content
- Track your clicks, form inputs, or keystrokes
- Use cookies, pixels, or any third-party trackers
- Use any analytics service (no Google Analytics, no Sentry, no PostHog, nothing)
- Fingerprint your device or browser
3. Local Data Storage
All data generated or configured by Shieldly is stored locally on your device using:
chrome.storage.local— for settings, virtual identities, site rules, trusted sites, and license activation state- IndexedDB — for audit log entries (automatically pruned after 30 days)
Sensitive fields (virtual identity content) are encrypted using the Web Crypto API (AES-256-GCM) before being written. The encryption key is generated locally on first run and never leaves your device. You can wipe all local data at any time by removing the extension.
4. Virtual Identity Data
Virtual identities (emails, demo card numbers, phone numbers, addresses) are randomly generated on your device using JavaScript's built-in pseudo-random generators and local templates. They are placeholder values and are not connected to any real accounts or payment systems.
Demo card numbers use the industry-standard test prefix 4242 and are clearly marked as "Test/demo only — not a real payment method". They will not work for real transactions.
5. Fingerprint Protection
Shieldly helps reduce unwanted browser fingerprint tracking by adding minor variations to specific browser API responses (Canvas, WebGL, Navigator, Audio, Hardware, Screen, Timezone, Fonts). This is done entirely on your device. The protection script does not read, collect, modify, or transmit page content.
6. Tracker Blocking
Tracker blocking uses Chrome's built-in declarativeNetRequest API with a static, bundled ruleset. The ruleset is updated only with extension updates. No external rule servers are contacted, no dynamic rules are downloaded.
7. Pro License Validation
If you purchase Shieldly Pro, your license key is validated against our payment provider's servers (Creem.io) once during activation, through a thin Cloudflare Worker proxy we operate.
The only data transmitted during license activation/validation is:
- Your license key (entered by you)
- A random, device-local
instance_id(generated on activation; not linked to your identity)
We do not transmit your email, IP, browsing data, identities, or logs to any server. Our Cloudflare Worker does not log request bodies and does not persist any data beyond the response cycle. License status is cached locally and revalidated approximately every 24 hours; Pro features work offline between validations.
8. Permissions Justification
| Permission | Why Shieldly needs it |
|---|---|
declarativeNetRequest | Block known trackers via Chrome's built-in engine using a static bundled ruleset. |
declarativeNetRequestFeedback | Display per-site blocked-tracker counts to you in the popup. |
storage | Persist encrypted settings, identities, and site rules locally. |
activeTab | Read the current tab's hostname to show site-specific protection status when you open the popup. |
scripting | Inject fingerprint-protection code at page load. No page content is read. |
contextMenus | Provide the right-click "Fill Virtual Identity" option on form fields. |
alarms | Schedule daily cleanup of audit-log entries older than 30 days. |
host_permissions: <all_urls> | Fingerprint protection must run on every site to be effective. No page data is read or transmitted. |
9. Third-Party Services
The Shieldly browser extension uses no third-party analytics, advertising, SDKs, or tracking services.
The only third party involved — and only if you purchase Pro — is our payment processor Creem.io, who handles checkout and license issuance. Please refer to Creem.io's Privacy Policy for how they handle payment data. We do not receive your payment details; we only receive a license key via Creem's webhook.
10. Children's Privacy
Shieldly is not directed at children under 13. We do not knowingly collect any personal information from anyone, including children.
11. International Users & Data Transfers
Because Shieldly does not collect or transmit user data from the browser extension, there are no cross-border data transfers to disclose for the core product. For Pro license validation, requests are routed through Cloudflare's global edge network to Creem.io (EU-based); no user-identifying data is included.
12. GDPR / CCPA / PIPL Compliance
As Shieldly does not collect or process your personal data, it is compliant with GDPR (EU), CCPA (California), LGPD (Brazil), and PIPL (China). Shieldly is a client-side privacy tool, not a data controller or processor under these regulations.
Because we hold no user data, there is nothing to request, export, or delete from us — you can remove all local data at any time by uninstalling the extension.
13. Security
We take security seriously:
- Sensitive data is encrypted with AES-256-GCM (via the Web Crypto API) before being stored.
- The extension has no remote-code-execution surface; all code is bundled and signed by the Chrome Web Store.
- Our Cloudflare Worker runs with no persistent storage and no request-body logging.
If you discover a vulnerability, please email [email protected] with the subject line "Security Report".
14. Changes to This Policy
Any material changes to this privacy policy will be reflected in the extension update notes and in the "Last Updated" date above. Your continued use of Shieldly after changes become effective constitutes acceptance of the revised policy.
15. Contact
For questions about this privacy policy, contact us at [email protected] or open an issue on our GitHub repository.